Update on the CISA Bill

The bill that I brought up in my last presentation has been making headway ever since, though no one is sure if it’s for better or worse. For those who don’t remember, this bill was the one that would allow the government and private companies to share data, including personal information, with each other in order “to prevent and respond to cybersecurity threats.” As was aptly pointed out last time around, it was clear that there were a lot of loopholes in this bill that would essentially allow the government and companies to share whatever data they deemed necessary without any users knowing that their personal information was being circulated.

On March 12th, a slightly updated version of the bill was passed by a vote of 14-1. The one man who voted against it, Senator Ron Wyden, had this to say: “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name. It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.” These worries aren’t unfounded, as the most recent publicly released iteration of CISA (Cybersecurity Information Sharing Act) shows that it also allows for sharing of private data that could “prevent terrorism or an imminent threat of death or serious bodily harm.” Robyn Greene, privacy counsel at the Open Technology Institute, argues that this could mean CISA might “facilitate investigations into garden-variety violent crimes that have nothing to do with cyber threats.” Even more worrying is the fact that the information could be used in investigations into crimes with no connection to cybersecurity, like carjacking or ID fraud; while these crimes are terrible, they should not be investigated using information that is ostensibly only about cybersecurity.

There is still some hope that this bill could actually be a good thing, though, depending on how you look at it. Before it was passed, a closed-door session saw a dozen amendments added onto the bill. No information about any of them has been released yet, though intelligence committee chairman Richard Burr said that some of them were designed to prevent user information from being shared with the government too openly. If all goes well and we believe strongly enough, this bill could have had enough protections for users added to it that it can be an objectively good thing in preventing cyber crime in the coming years. But if all goes poorly, the bill has the potential to seriously harm privacy rights. The fact that these amendments were added without public knowledge of what they are is a seemingly damning factor, but for now, it’s unclear just how good or bad this really could be.